Trouble with OpenVPN and policy-based routing - pfSense eating syn/acks



  • I have two pfSense boxes, one running 2.0.2 (central site) and one running 2.0 (remote site).  I have traffic going over an OpenVPN tunnel between the two.  The remote site has a policy-routing rule on the LAN that sends all traffic from the LAN over the OpenVPN tunnel.  The remote site also has an "allow all" rule on the OpenVPN interface.  Connections initiated from the remote site work fine.  Connections initiated from the central site die.

    Here is the output of two tcpdumps from the remote site.  vr0 is the LAN interface and ovpnc1 is the OpenVPN tunnel interface.  192.0.2.1 is an IP at the central site and 10.2.100.20 is an IP at the remote site.  This connection was initiated by 192.0.2.1, which shows the connection hanging.

    tcpdump -i ovpnc1 -n "host 192.0.2.1"
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ovpnc1, link-type NULL (BSD loopback), capture size 96 bytes
    14:35:14.530362 IP 192.0.2.1.35605 > 10.2.100.20.443: Flags [S], seq 2292351839, win 5840, options [mss 1382,sackOK,TS val 3162135595 ecr 0,nop,wscale 7], length 0

    tcpdump -i vr0 -n "host 192.0.2.1"
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on vr0, link-type EN10MB (Ethernet), capture size 96 bytes
    14:35:14.530530 IP 192.0.2.1.35605 > 10.2.100.20.443: Flags [S], seq 2292351839, win 5840, options [mss 1382,sackOK,TS val 3162135595 ecr 0,nop,wscale 7], length 0
    14:35:14.531452 IP 10.2.100.20.443 > 192.0.2.1.35605: Flags [S.], seq 347545913, ack 2292351840, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 12690977 ecr 3162135595], length 0
    14:35:17.544084 IP 10.2.100.20.443 > 192.0.2.1.35605: Flags [S.], seq 347545913, ack 2292351840, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 12691278 ecr 3162135595], length 0
    
    You can see that the initial SYN comes in fine through the OpenVPN interface, and is transmitted onto the LAN.  The reply SYN/ACK comes in on the LAN interface but never shows up on the OpenVPN interface.  Nothing relevant shows up in the firewall logs.
    
    I tried changing the state type on the rules on the LAN and the OpenVPN interface from the default "keep state" to both "sloppy state" and "no state" but I observed no difference in behavior.  I also tried setting the TCP flags on the LAN rule to "any flags" but that didn't seem to make a difference either.
    
    Any suggestions for other things to try?
    

  • Rebel Alliance Developer Netgate

    Does the target firewall (on 10.2.100.x) have a route back to 192.0.2.0/24?

    OpenVPN interfaces don't get reply-to on their rules (They do on 2.1 iff you have the interface assigned and only have rules on the interface tab to match that inbound traffic), which means that the traffic follows the routing table, it doesn't go back out the way it came in.
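As an added illustration (not part of either post in this thread), the script below does two things with the material above: it correlates the two tcpdump outputs to flag a connection whose SYN arrived on one interface while its SYN/ACK was seen on the LAN but never on that ingress interface, and it models the routing decision described in the reply, a longest-prefix-match lookup on the firewall's routing table unless reply-to pins the reply to the interface the request came in on. The capture text is the thread's own packets with the capturing interface prepended to each line by hand; the routing tables, the WAN interface name em0 and the tunnel subnet 10.8.0.0/24 are constructed assumptions, not values from the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the two captures from the thread merged into one text, with the
# capturing interface prepended to each line by hand (tcpdump itself does not print it).
CAPTURE = """\
ovpnc1 14:35:14.530362 IP 192.0.2.1.35605 > 10.2.100.20.443: Flags [S], seq 2292351839, win 5840, length 0
vr0 14:35:14.530530 IP 192.0.2.1.35605 > 10.2.100.20.443: Flags [S], seq 2292351839, win 5840, length 0
vr0 14:35:14.531452 IP 10.2.100.20.443 > 192.0.2.1.35605: Flags [S.], seq 347545913, ack 2292351840, win 8192, length 0
vr0 14:35:17.544084 IP 10.2.100.20.443 > 192.0.2.1.35605: Flags [S.], seq 347545913, ack 2292351840, win 8192, length 0
"""

# Matches "<iface> <time> IP a.b.c.d.port > e.f.g.h.port: Flags [..]" from tcpdump -n.
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>[\d:.]+)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)


def parse_flows(text):
    """Group capture lines by connection (client ip, client port, server ip, server port).

    For each connection, record the interfaces on which the client's SYN was seen, in
    time order of first appearance, and the set of interfaces where the SYN/ACK was seen.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    entries.sort(key=lambda e: e["ts"])          # HH:MM:SS.ffffff sorts lexically
    flows = defaultdict(lambda: {"syn": [], "synack": set()})
    for e in entries:
        src, sport, dst, dport = e["src"], int(e["sport"]), e["dst"], int(e["dport"])
        if e["flags"] == "S":                     # bare SYN: src is the client
            rec = flows[(src, sport, dst, dport)]
            if e["iface"] not in rec["syn"]:
                rec["syn"].append(e["iface"])
        elif e["flags"] == "S.":                  # SYN/ACK: src is the server
            flows[(dst, dport, src, sport)]["synack"].add(e["iface"])
    return flows


def find_asymmetric(flows):
    """Return (connection, ingress_iface) for every connection whose SYN first appeared
    on one interface and whose SYN/ACK was seen elsewhere but never on that interface."""
    findings = []
    for conn, rec in flows.items():
        if not rec["syn"] or not rec["synack"]:
            continue
        ingress = rec["syn"][0]                   # earliest SYN = interface it arrived on
        if ingress not in rec["synack"]:
            findings.append((conn, ingress))
    return findings


def reply_egress(routes, dst_ip, reply_to=None):
    """Interface a reply toward dst_ip leaves on.

    With pf's reply-to, the state pins replies to the interface the request arrived on.
    Without it (the OpenVPN case in the thread) the reply is a plain longest-prefix-match
    routing lookup, so it leaves via whatever route covers dst_ip, the default route if
    nothing more specific exists.
    """
    if reply_to is not None:
        return reply_to
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


# Constructed routing tables for the remote firewall. "em0" as the WAN interface and
# 10.8.0.0/24 as the tunnel subnet are assumptions, not values from the thread.
ROUTES_NO_RETURN = [("0.0.0.0/0", "em0"), ("10.2.100.0/24", "vr0"), ("10.8.0.0/24", "ovpnc1")]
ROUTES_WITH_RETURN = ROUTES_NO_RETURN + [("192.0.2.0/24", "ovpnc1")]


def diagnose(text, routes):
    """For each asymmetric connection, report where the reply actually routes and whether
    that matches the interface the SYN came in on."""
    report = []
    for (client_ip, _cport, _sip, _sport), ingress in find_asymmetric(parse_flows(text)):
        egress = reply_egress(routes, client_ip)
        report.append((client_ip, ingress, egress, egress == ingress))
    return report


if __name__ == "__main__":
    for label, table in (("no route back", ROUTES_NO_RETURN), ("route back", ROUTES_WITH_RETURN)):
        for client, ingress, egress, ok in diagnose(CAPTURE, table):
            print(f"{label}: client {client}: SYN in on {ingress}, SYN/ACK routes out {egress}, symmetric={ok}")
```

With the table that lacks a route for 192.0.2.0/24 the SYN/ACK resolves to the default route on em0 rather than ovpnc1, which is exactly the mismatch the captures show; adding the return route (or, on versions where it applies, reply-to) makes the egress match the ingress interface. The script reads merged capture text, so on a real box the two tcpdump outputs would need the interface name prefixed to each line before being fed in.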
